www.webdeveloper.com

Thread: Session Security question

  1. #1
    Join Date
    Apr 2009
    Posts
    16

    Session Security question

    Hello,

    Thanks in advance for reading my question.

    I've created a web application but I'm worried about security. Right now I am using PHP Session values as the sole means of securing my site, and I know that session can be spoofed and that this is not fully secure.

    More specifically, when a user logs in their user ID is stored as a session variable and then each page that requires authentication checks to make sure that the session variable is set, and if it is the program then it calls the user ID via the session variable to display that user's data.

    Obviously this is not very secure... what steps should I take to make this a much more secure system?

    Thanks!

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,178
    A couple articles from Chris Shiflett's site you might want to read:
    Session Hijacking
    Storing sessions in a database

    Better yet, get his book.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  3. #3
    Join Date
    Dec 2005
    Posts
    2,984
    each page that requires authentication checks to make sure that the session variable is set
    So you aren't actually doing any authentication after the login - you are just relying on a session variable being set. That part doesn't seem very secure at all, to me. You might want to store the sessionid of the logged in user in a record in the database (alongside the userid). Then, every time a page is requested that requires authentication, compare the sessionid that is requesting the page, and make sure it matches the sessionid that is in the database alongside the correct userid. Hopefully that's not too confusing for you.
    I've switched careers...
    I'm NO LONGER a scientist,
    but now a web developer...
    awesome.

  4. #4
    Join Date
    Apr 2009
    Posts
    16
    Quote Originally Posted by aj_nsc:
    So you aren't actually doing any authentication after the login - you are just relying on a session variable being set. That part doesn't seem very secure at all, to me. You might want to store the sessionid of the logged in user in a record in the database (alongside the userid). Then, every time a page is requested that requires authentication, compare the sessionid that is requesting the page, and make sure it matches the sessionid that is in the database alongside the correct userid. Hopefully that's not too confusing for you.
    Ah yes, that should work...

    So the idea would be that when the user logs in I would assign a sessionid session variable and insert that value into a sessionid field in the database record corresponding to that user. Then each page that the user visits would check the 'sessionid' session variable against the value that was stored in the database when they logged in. If they log out and the session variable is destroyed, then at that point the session would not function because the user would need to re-login in order for the database to match the session variable?

    Are there any limitations to this or ways around it that aren't obvious to me?

  5. #5
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,178
    This seems generally useless to me. When a PHP session is created, a unique session ID is generated. That ID is set in a cookie to be shared with the client, and the session data is saved in a file with a name based on that ID (or in a database based on that ID if you elect to go that route). Saving the ID in the database for that user is meaningless if the way you know who the user is (once s/he is logged in) is based on a value in the session data. In other words, if a session gets "hijacked", the "hijacker" is going to appear to be that user, and by definition s/he will have hijacked that user's session ID, and so it will automatically match the ID saved in the database.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us
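Putting posts #3 and #5 together in code: the following is an added example, not code from the thread or from any of its posters. It keeps the "session ID stored next to the user record" check that post #3 proposes, but comments where post #5 is right that it does nothing against a hijacker who already holds the cookie, and it adds the controls that do raise the bar (cookie flags, strict mode, ID regeneration at login, a user-agent fingerprint in the style of the Shiflett article post #2 links, and an idle timeout). It assumes PHP 7.3 or later, a PDO connection in `$db`, and a hypothetical table `users(id, username, password_hash, current_session_id)`; the 15-minute idle timeout is a constructed value.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.3+, a PDO connection in $db,
// and a hypothetical table users(id, username, password_hash, current_session_id).
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // seconds of inactivity before the login expires (constructed value)

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags: not readable by JavaScript, only sent over HTTPS, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_start();
}

// Fingerprint tied to the session at login (Shiflett's technique): a stolen cookie presented
// from a browser with a different User-Agent fails this check. A hurdle, not proof of identity.
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login_user(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh ID on privilege change, so an ID planted before login (fixation) is worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']     = (int) $row['id'];
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['last_seen']   = time();

    // The DB-stored ID from post #3. As post #5 points out, a hijacker holding the same cookie
    // passes this check; what it does give you is one active session per user and remote revocation.
    $upd = $db->prepare('UPDATE users SET current_session_id = ? WHERE id = ?');
    $upd->execute([session_id(), $row['id']]);
    return true;
}

function logout_user(PDO $db): void
{
    if (isset($_SESSION['user_id'])) {
        $db->prepare('UPDATE users SET current_session_id = NULL WHERE id = ?')
           ->execute([$_SESSION['user_id']]);
    }
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// Call at the top of every protected page after start_secure_session(); returns the user ID,
// or null when the request must be treated as unauthenticated.
function current_user(PDO $db): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])) {
        return null;
    }
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        logout_user($db); // cookie presented from a different client than the one that logged in
        return null;
    }
    if (time() - (int) $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        logout_user($db); // idle too long; a stolen cookie has a bounded useful lifetime
        return null;
    }
    $stmt = $db->prepare('SELECT current_session_id FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || $stored === null || !hash_equals((string) $stored, session_id())) {
        logout_user($db); // superseded by a newer login elsewhere, or revoked by an administrator
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}
```

Usage: a protected page calls `start_secure_session();` then `$uid = current_user($db);` and redirects to the login form when `$uid` is null; the login handler calls `start_secure_session();` then `login_user($db, $username, $password)`. The fingerprint and idle-timeout checks are what actually narrow the hijacking window; the database comparison only lets you kick out an older session or revoke one by clearing `current_session_id`.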
